This talk showcases free/open-source utilities and shows how to use them to test IDSes and firewalls. There have been a few talks on the common weaknesses of both kinds of products, but none offering a practical means to test for those weaknesses. The point of the talk is to let people test vendors' claims (or their own products) themselves. The talk should be of interest to developers, security admins, product reviewers, and white-hat/black-hat hackers. Knowledge of TCP/IP and programming is recommended.
I. What are firewalls/IDSes supposed to do? (expectations)
   a. stateful and non-stateful packet filters
   b. network-based and host-based IDSes
II. Common failings
   a. firewall
      1. DoS
      2. evasion
   b. IDS
      1. DoS
      2. evasion
III. How do you test for this?
   a. Everyone's favorite: nmap
      1. firewall exploits: filling up the state table
      2. IDS exploits: fragmentation, ACK/FIN scans
   b. The isic suite of utilities
      1. firewall: options handling / fragmentation DoS, packet leakage
      2. IDS: IDSes that process options / state confusion
   c. Sample programs included with libnet
      1. firewall: boink, ping of death, etc.
   d. whisker
      1. IDS: evasion
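The fragmentation test from III.a and III.b, written out as an added example (this is not code from the talk, nmap or isic): a TCP SYN is split into 8-byte IP fragments, mirroring the way nmap's -f option fragments probes, and then reassembled the way the target stack and a correct IDS must, with out-of-order delivery, gaps and overlaps handled. The addresses, ports, IP ID and fragment size are assumed values; nothing is sent on the wire, so it runs offline.

```python
"""
Fragmented-SYN test: build nmap -f style 8-byte IP fragments of a TCP SYN and
reassemble them as a target stack (and a correct IDS) must.  Added example, not
code from the talk, nmap or isic.  Addresses, ports and the IP ID are assumed
values; nothing is sent on the wire.
"""
import socket
import struct

MF = 1 << 13  # "more fragments" bit in the IPv4 flags/offset field


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """TCP pseudo-header (protocol 6) that is prepended for the TCP checksum."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)


def tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x12345678) -> bytes:
    """20-byte TCP SYN (data offset 5, window 8192) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    csum = checksum(pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A correct TCP checksum makes pseudo-header + segment sum to zero."""
    return checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


def ip_header(src: str, dst: str, payload_len: int, ident: int, flags_off: int) -> bytes:
    """20-byte IPv4 header (TTL 64, protocol TCP) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def fragment(src: str, dst: str, payload: bytes, ident: int = 0xBEEF, size: int = 8) -> list:
    """Split payload into IP fragments of `size` bytes (non-final ones must be 8-byte multiples)."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        more = off + size < len(payload)
        flags_off = (MF if more else 0) | (off // 8)
        frags.append(ip_header(src, dst, len(chunk), ident, flags_off) + chunk)
    return frags


def reassemble(packets: list) -> dict:
    """Reassemble fragments by IP ID; raise on a gap, an overlap or a missing final fragment."""
    pieces = {}
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_off = struct.unpack("!HH", pkt[4:8])
        pieces.setdefault(ident, []).append(
            ((flags_off & 0x1FFF) * 8, bool(flags_off & MF), pkt[ihl:]))
    out = {}
    for ident, chunks in pieces.items():
        buf, final = b"", False
        for off, more, data in sorted(chunks):   # sort by offset: order on the wire is irrelevant
            if off != len(buf):
                raise ValueError("gap or overlap at offset %d in IP id %#x" % (off, ident))
            buf += data
            final = not more
        if not final:
            raise ValueError("final fragment missing for IP id %#x" % ident)
        out[ident] = buf
    return out


def rejects(packets: list) -> bool:
    """True if reassemble() refuses the packet set; an IDS that does not is desynchronisable."""
    try:
        reassemble(packets)
    except ValueError:
        return True
    return False


def demo() -> tuple:
    """Fragment a SYN into 8/8/4-byte pieces, deliver them out of order, check reassembly."""
    src, dst = "10.0.0.1", "10.0.0.2"      # assumed test addresses
    syn = tcp_syn(src, dst, 40000, 80)
    frags = fragment(src, dst, syn)
    rebuilt = reassemble(frags[::-1])       # reversed delivery; a real harness should shuffle
    return len(frags), rebuilt[0xBEEF] == syn, all(checksum(f[:20]) == 0 for f in frags)


if __name__ == "__main__":
    print(demo())  # (3, True, True)
```

To turn this into a live test, the fragments would be written to a raw socket and the IDS log checked for the SYN; the reassembler stays useful as the reference for what the IDS should have seen, and feeding it a duplicated or dropped fragment is the cheapest way to see which ambiguous cases a given IDS resolves differently from the end host.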
IV. Demonstration
   a. IDS: against libNIDS, using the IDS test cases above
   b. firewalls: against netfilter, using the firewall test cases above
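The whisker-style evasion test from III.d, as an added example that is not whisker's own code: four URL-obfuscation tactics of the kind whisker uses (percent-encoding, self-referencing directories, reverse traversal through a bogus directory, and doubled slashes) are applied to a request for a signature path, and each obfuscated request is run past a naive substring matcher and past a matcher that normalises the URL first, as a web server would. The signature string, the bogus directory name and the request-line format are assumptions.

```python
"""
whisker-style URL obfuscation versus a naive and a normalising IDS matcher.
Added example, not whisker's own code.  SIGNATURE, the bogus directory name
and the request-line format are assumptions.
"""
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"   # assumed pattern a string-matching NIDS looks for


def hex_encode(path: str) -> str:
    """Percent-encode every character except the slashes (URL-encoding tactic)."""
    return "".join(c if c == "/" else "%%%02X" % ord(c) for c in path)


def self_reference(path: str) -> str:
    """Insert '/./' before every component (self-referencing directory tactic)."""
    return path.replace("/", "/./")


def reverse_traversal(path: str) -> str:
    """Enter a bogus directory and step back out with '..' (reverse traversal tactic)."""
    head, _, tail = path.rpartition("/")
    return "%s/bogus/../%s" % (head, tail)   # 'bogus' is an assumed directory name


def double_slash(path: str) -> str:
    """Double every slash (multiple-slash tactic)."""
    return path.replace("/", "//")


TACTICS = {
    "hex-encoding": hex_encode,
    "self-reference": self_reference,
    "reverse-traversal": reverse_traversal,
    "double-slash": double_slash,
}


def normalize(path: str) -> str:
    """Decode %XX and collapse '.', '..' and empty segments as a web server does."""
    parts = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def request_line(path: str) -> str:
    """Assumed request format used for the constructed test requests."""
    return "GET %s HTTP/1.0" % path


def naive_match(req: str, sig: str = SIGNATURE) -> bool:
    """What a plain pattern-matching IDS does: look for the bytes as-is."""
    return sig in req


def normalized_match(req: str, sig: str = SIGNATURE) -> bool:
    """What a protocol-aware IDS does: normalise the URL, then compare."""
    path = req.split(" ")[1]
    return sig in normalize(path)


def run_tests(sig: str = SIGNATURE) -> dict:
    """Map each tactic to (obfuscated request, naive hit, normalised hit)."""
    results = {}
    for name, tactic in TACTICS.items():
        req = request_line(tactic(sig))
        results[name] = (req, naive_match(req, sig), normalized_match(req, sig))
    return results


if __name__ == "__main__":
    for name, (req, naive, norm) in run_tests().items():
        print("%-18s naive=%-5s normalized=%-5s  %s" % (name, naive, norm, req))
```

Every tactic defeats the naive matcher and none defeats the normalising one, which is the property to check when reviewing an IDS: send the obfuscated requests at a target that the IDS watches and compare the alert log against what the web server actually served.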